Connect with us

NEWS

Morocco Whistleblower Details Pegasus Spyware Hits on Guardia Civil

A Moroccan intelligence whistleblower says the DGST used Pegasus spyware since 2017 to target journalists, Spanish ministers and Guardia Civil officers.

Published

on

A former Moroccan intelligence officer has broken years of official denial, revealing that the country’s domestic security service began deploying Pegasus spyware in 2017. The whistleblower, using the pseudonym Safir, describes a four-year campaign that reached journalists, human rights activists, French officials and Spain’s own cabinet.

The testimony anchors a joint investigation by 14 outlets, including Le Monde, Haaretz, El Confidencial, Die Zeit and the Guardian, coordinated by Forbidden Stories with Amnesty International’s Security Lab. Guardia Civil officers sent to train Moroccan counterterrorism units ended up on the target list themselves, and Madrid honored the man suspected of running the operation anyway.

Inside the Rabat Villa Where NSO Made Its Pitch

Rabat has always denied any relationship with NSO Group, the Israel-based maker of Pegasus, and has said journalists investigating the company could never prove a link. Safir’s account, corroborated by two other former Moroccan agents and by leaked material forensically reviewed by Amnesty’s Security Lab, tells a different story.

High-ranking Moroccan intelligence officers and technical experts got their first look at Pegasus in 2017, inside an expensive villa in Rabat that insiders nicknamed “the FSSYS villa.” The name came from FSSYS Maroc, then the Moroccan branch of the UAE-based surveillance intermediary al-Fahad, which frequently used the property for demonstrations.

NSO representatives infected a number of test phones while officers watched, remotely switching on cameras and microphones and pulling data and messages off the devices. Those in the room grasped immediately that Pegasus’s remote-infection power meant they would no longer need physical access to a target’s phone.

Before that, Morocco’s Direction Générale de la Surveillance du Territoire, the country’s domestic intelligence service known as the DGST, worked with far cruder tools. According to Safir, the service leaned on:

  • Old-fashioned human intelligence and informant networks
  • Monitoring dissidents at internet cafe terminals
  • Persuading shopkeepers to sell targets mobile phones preloaded with cheaper spyware

Pegasus was reserved for the costliest, highest-value cases, once those cheaper options had been exhausted. “We never start with Pegasus,” Safir said. “It’s the monster’s weapon.”

The whistleblower described the pricey new tool as effectively a gift, courtesy of the United Arab Emirates.

Millions for the Emiratis, that’s nothing. The Emirates bought it and redistributed it to friendly services. You could say it’s like Netflix: a friend pays for the subscription, and the others use their account.

Safir told the consortium, explaining how Rabat gained access to a tool few security services could otherwise afford. Four unique Moroccan mobile numbers were fed into the system that September, seemingly to test its capabilities, including numbers linked to two DGST staff members.

Within weeks, the numbers of Moroccan journalists and human rights defenders began appearing in the same database. The 2017 demonstration predated the reporting that would eventually show phones belonging to at least 180 journalists were selected in 20 countries by at least 10 NSO clients, from Bahrain and Saudi Arabia to India and Mexico.

Officers Who Trained Morocco’s Spies Became Its Targets

The targeting did not stay inside Morocco’s borders for long. Leaked documents, photographs and testimony from Spanish security forces and a former Moroccan intelligence agent suggest the DGST used its new capability to try to access the communications of Guardia Civil officers who had travelled to Morocco to share counterterrorism expertise.

The personal phone number of one senior Guardia Civil officer appears five times on the list of targets selected for Pegasus surveillance by the end-user believed to be Morocco.

“We spy on everyone,” one former DGST officer told the consortium, adding that the surveillance was carried out “just in case.”

Officers from Spain’s other national police force, the Policía Nacional, use separate mobile devices for sensitive material when travelling to Morocco. The Guardia Civil did not think such precautions were necessary when working with an ally.

“We didn’t do it because we didn’t suspect we would be spied on,” a senior Guardia Civil intelligence officer said. A senior Guardia Civil official called the revelations “a betrayal.”

More Than 200 Spanish Numbers Ended Up on the List

Pegasus project records show more than 200 Spanish mobile numbers were selected for targeting by the user believed to be Morocco. The Spanish numbers are a small slice of a far larger dataset: the original leak examined by Amnesty International and Forbidden Stories in 2021 contained more than 50,000 phone numbers selected by NSO clients worldwide since 2016.

Target Role Country Year(s) Targeted
Aminatou Haidar Western Sahara human rights activist Spain 2018, again in Nov. 2021
Ignacio Cembrero Journalist covering the Maghreb Spain Listed in leaked database
Pedro Sánchez Prime Minister of Spain Spain May 2021
Margarita Robles Defence Minister of Spain Spain June 2021
Fernando Grande-Marlaska Interior Minister of Spain Spain 2021
Luis Planas Agriculture Minister of Spain Spain 2021
Senior Guardia Civil officer Counterterrorism liaison to Morocco Spain Number appears 5 times on target list
Hicham Mansouri Moroccan investigative journalist in exile France Feb. to April 2021, phone infected 20+ times

The targeting of Sánchez and Robles came during a tense diplomatic row. Madrid had allowed Brahim Ghali, president of the Sahrawi Arab Democratic Republic and leader of the Polisario Front, to be treated for Covid-19 at a hospital in northern Spain. The phones of Grande-Marlaska and Planas were revealed as targets later. The Guardian has also reported that at least 38 Moroccan journalists appear among the global list of Pegasus targets.

Spain Handed Its Highest Honor to a Man Suspected of Spying on It

Despite mounting suspicion that Morocco was behind the targeting of Spain’s own cabinet, Interior Minister Fernando Grande-Marlaska last year presented Abdellatif Hammouchi, the DGST’s director general, with the highest honor bestowed by the Guardia Civil, a gendarmerie that reports to both the interior and defence ministries.

One Guardia Civil union objected publicly. Giving the honor “to a man who has faced international accusations of human rights violations and spying,” it said, was an affront to the dignity of the force’s officers.

Court documents assembled by the Pegasus project add weight to the suspicion. One attacker account assigned to Morocco’s Pegasus system, the same one used to target politicians, journalists and human rights defenders in France, was also used to target the phones of Robles and Grande-Marlaska, according to material reviewed by the consortium.

The Codename That Ties NSO’s Paperwork to Rabat

Further evidence of Morocco’s relationship with NSO Group surfaced last year through an unrelated legal fight. WhatsApp’s parent company, Meta, sued NSO Group in US federal court, and an unsealed, redacted presentation given to the board of NSO’s parent company, Q Cyber Technologies, in early August 2018, included a list of Pegasus end-user codenames.

According to reporting by the Israeli newspaper Haaretz, NSO assigns each client country a name built from its first letter and a car manufacturer. Subaru had previously been tied to Saudi Arabia. Morgan has now been identified as Morocco, after former NSO employees confirmed to the consortium that the kingdom was a Pegasus end-user known by that name.

A separate court document released in a related WhatsApp lawsuit found Pegasus was used in a single 2019 hacking campaign against 1,223 WhatsApp users worldwide. Morocco accounted for 69 of those victims, behind only Mexico, India and Bahrain.

NSO Group was placed on a US trade blacklist in November 2021 after the Biden administration determined the company had acted “contrary to the foreign policy and national security interests of the US.” Three weeks later, the Israeli financial newspaper Calcalist reported that Israel’s defence ministry had barred a number of countries, including Morocco and the UAE, from importing Israeli cyber-technology.

Why Do Investigations in Madrid and Paris Keep Stalling?

Spain’s investigating judge closed the Pegasus inquiry in July 2023, reopened it months later after French authorities shared their own evidence, then shelved it again in January 2026. Both times, the reason traces back to Israel, which has refused to let NSO’s chief executive give a statement to Spanish investigators.

The judge said Israel’s refusal to cooperate had violated “the principle of good faith” between countries. France reopened its own probe after receiving a European Investigation Order tied to the hacking of French ministers, MPs, lawyers and journalists, but that inquiry has not produced a public attribution either.

  • What we know – Safir’s account is corroborated by two other former Moroccan intelligence agents and by forensic analysis from Amnesty International’s Security Lab.
  • What we know – The DGST tested Pegasus on Moroccan numbers in September 2017 before expanding to journalists and rights defenders that same month.
  • What we know – No evidence of Pegasus-linked surveillance in Morocco has surfaced since late 2021.
  • What’s unconfirmed – NSO Group, Morocco’s government, the UAE authorities and al-Fahad’s parent company have not responded to requests for comment.
  • What’s unconfirmed – Whether Israel will ever let NSO’s chief executive testify before Spanish or French judges.
  • What’s unconfirmed – Whether any prosecution in Madrid or Paris will formally name Morocco as the perpetrator.

Frequently Asked Questions

What Is Pegasus Spyware and Who Makes It?

Pegasus is spyware built by NSO Group, an Israeli company, that can infect a phone without any click from the target and then give its operator access to messages, calls, photos, location data and the device’s camera and microphone. The tool came under global scrutiny after the original Pegasus Project investigation, coordinated by Forbidden Stories with Amnesty International’s Security Lab, first published its findings in July 2021.

Has Morocco Ever Admitted Using Pegasus?

No. Rabat has denied any relationship with NSO Group since the original 2021 reporting and has filed defamation lawsuits in French courts against Amnesty International and Forbidden Stories. Moroccan officials have repeatedly said journalists investigating the claims never produced material proof of a contract with the company.

Did Spain’s Government Ever Officially Blame Morocco?

No. Spain’s 2023 Annual National Security Report left Morocco out of its espionage chapter entirely, even while naming China and Russia, according to Morocco World News. Defence Minister Margarita Robles has told parliament that the National Intelligence Center filed ten reports to the investigating judge and that the government considers itself the victim, not the source of the leak.

Did the Targeting Spill Into Other Regional Rivalries?

Yes. Separate reporting cited by Middle East Monitor said Moroccan authorities targeted more than 6,000 Algerian phone numbers, including senior politicians and military officers, in 2021, a scandal that contributed to Algeria’s decision to sever diplomatic relations with Rabat that year.

What Happened to NSO Group After the Pegasus Project?

NSO Group has faced a wave of legal fallout beyond Morocco. A US jury found the company liable for illegally hacking WhatsApp users and awarded Meta $167 million in damages, though a judge later cut that figure to $4 million. NSO Group, Morocco’s government and the UAE authorities were all approached for comment on the whistleblower’s account; none had responded by publication, and Spain’s government and its interior, foreign and defence ministries did not respond either.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending